Yeah that was me. Now that I'm done with school I can start working on this again.

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Mon Mar 23, 2015 11:01 pm

That's great! I'm sure that whatever you guys come up with--together or individually--will be helpful to ClamWin and the open source community. Let us know if there's anything we can do to help--testing, suggestions....

Regards,

ROCKNROLLKID

Joined: 23 Sep 2013

Posts: 562

Location: **UNKNOWN**

Posted: Tue Mar 24, 2015 2:05 pm

Another suggestion I thought of: it would be nice if you could find a way for ClamWin to have real-time protection and still be compatible with other AVs; this way it can be used as a primary or still be used as a secondary.

For bad sites filter, I would just use Google bad sites and use the updates ClamAV offers because I think ClamAV adds some more stuff to it themselves or you can also use the one off Malware Domain. I know Chrome and Firefox browsers both use Google bad sites and IE uses a smart screen filter and active x filter, as well, so maybe a bad sites filter might not be needed.

If you wanted to, you could use easy list and easy privacy for ad blockers, but that is optional. Some of the IP filters on iblocklist and the HOST file from MVPS are also capable of blocking ads, too.

Not sure what to do about this. I have a standard code signing cert from Global Sign that I've used for Hazard Shield's driver, but I doubt an individual will be able to get an EV certificate.

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Tue Mar 24, 2015 10:56 pm

You could do some blocking via web context. For reference, see the Sophos technical paper at http://www.sophos.com/en-us/why-sophos/our-people/technical-papers.aspx on the web from 2013. This is in keeping with the Clam Sentinel simple heuristics concept, but I never could get either developer Andrea Russo or the ClamWin team interested in it. I was particularly interested in the use of TLD names, etc. to detect "bad" sites. This would be like frosting on the cake, however--the real-time filter, basic PE file heuristics, and overt web site blocking should probably come first.

Regards,

ROCKNROLLKID

Joined: 23 Sep 2013

Posts: 562

Location: **UNKNOWN**

Posted: Tue Mar 24, 2015 11:18 pm

You can probably just hold back on Windows 10 for a while. Some AVs usually wait a few months before doing a newer OS so they can prepare first before jumping the gun.

By the way, where were you getting your signatures for Hazard Shield? Did you find them yourself or were you getting them from VT or other AV companies? I know anti-spyware software usually has an easier time finding signatures than AVs do because spyware and adware are less common.

xqrzd

Joined: 18 Feb 2013

Posts: 43

Posted: Wed Mar 25, 2015 1:08 am

I would just create them myself. Most samples I got from user submissions and crawling through sites like malc0de.

ROCKNROLLKID

Joined: 23 Sep 2013

Posts: 562

Location: **UNKNOWN**

Posted: Wed Mar 25, 2015 1:41 am

You can also try MalShare. I like using that site because they give you the MD5, SHA1, SHA256 and SSDEEP hashes already. When I make signatures for ClamAV, I go to that site.

Do you have plans to start Hazard Shield up again?
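As an added example (not code from this thread, from ClamAV or from MalShare), this shows what is done with the hashes a sample site hands you: a ClamAV-style .hdb hash signature line (MD5:FileSize:MalwareName) is generated for a file and a scanner then checks files against a loaded set of such lines. The EICAR test string stands in for a downloaded sample, and the helper names are my own.

```python
import hashlib
import os
import tempfile

# Constructed sample: the EICAR test string, the standard harmless AV test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def file_hashes(path):
    """Return (md5, sha256, size) for a file, hashing it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in (md5, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha256.hexdigest(), os.path.getsize(path)

def hdb_line(path, name):
    """ClamAV .hdb hash signature line: MD5:FileSize:MalwareName."""
    md5, _, size = file_hashes(path)
    return f"{md5}:{size}:{name}"

def load_hash_db(lines):
    """Parse .hdb/.hsb lines into {(digest, size): name}; '*' size means any size."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip comments and blank lines
            continue
        digest, size, name = line.split(":", 2)
        db[(digest.lower(), None if size == "*" else int(size))] = name
    return db

def match_file(path, db):
    """Return the signature name that hits the file, or None if it is clean."""
    md5, sha256, size = file_hashes(path)
    for digest in (md5, sha256):
        hit = db.get((digest, size)) or db.get((digest, None))
        if hit:
            return hit
    return None

def demo():
    """Write the sample to a temp dir, build its .hdb line, then rescan it."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(EICAR)
        db = load_hash_db([hdb_line(sample, "Eicar-Test-Signature")])
        return match_file(sample, db), file_hashes(sample)[2]
```

A hash signature only ever matches the exact file it was made from, which is why the SSDEEP fuzzy hash those sites also publish is useful for relating variants.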

xqrzd

Joined: 18 Feb 2013

Posts: 43

Posted: Wed Mar 25, 2015 7:51 pm

I'm still working on Hazard Shield while I'm waiting for Platonic details, although probably Hazard Shield's functionality will just be integrated into Platonic/ClamWin.

stormzy

Joined: 09 Mar 2015

Posts: 3

Posted: Fri Mar 27, 2015 8:58 am

Hi guys

Sorry I took so long to reply, I've been fixing PCs at a local clinic and one of them is giving me a hectic time with the internal hard drive.

xqrzd: I appreciate you sharing your sources.
My project currently is aiming at adding real-time scanning to ClamWin, and if I am not mistaken, I think that Hazard Shield must already have this feature.

EDIT:
xqrzd: I almost forgot, the entire project is open source and C/C++ should be just fine anywhere within the system. I usually don't like using other languages, especially Python and Delphi (which I find in the UIs of most antiviruses); this makes me lazy to go back to C/C++. I think they are somehow too object oriented and also cannot be used for system-level development.

So here is how I think we should go about this issue.
We make the user interface in the Qt library and call this the Platonic User Interface, which should include themes, plugins etc. Then we use Hazard Shield's real-time monitoring engine to monitor application activity, which should be equivalent to Clam Sentinel in terms of performance. Lastly we use ClamAV's scanning engine (still running as a daemon), which I think will need some work since it's not as efficient as I would have wanted it to be, as in false positives and scanning time/performance.

I think that our main objective should be coming up with at least a different look to the whole user interface, and implementing real-time monitoring plus a few more features/tweaks. If we improve scanning performance (clamscan) it should at least match Essentials or be better. I think this should make our anti-virus more popular and thus we will be able to get more support from the open source community.

ROCKNROLLKID

Joined: 23 Sep 2013

Posts: 562

Location: **UNKNOWN**

Posted: Fri Mar 27, 2015 1:59 pm

As long as the project remains open-source and you share your coding with the rest of the Clam family, you have my support on this. Let us know when beta testing is ready and I will help test out before the first public release.

ROCKNROLLKID

Joined: 23 Sep 2013

Posts: 562

Location: **UNKNOWN**

Posted: Fri Mar 27, 2015 4:46 pm

Another idea would be some self-protection. Clam Sentinel does not have this because we felt it was unneeded due to how small it is and many malware aren't bothering, but I feel we should not underestimate malware writers and take all precautions. The Clam family is growing and I feel it should be done, sometime.

Also, have you thought about naming it as part of the Clam family, like ClamPlan or something? I know there is Clam Sentinel, ClamWin, ClamAV, ClamTK, and GPM Clam already (also Amiti Anti-virus is a part of the Clam family but doesn't use the Clam name), but maybe you could do the same? Just an idea to be an official Clam family member. I figured ClamPlan would fit since you are using this for the future of the Clam family and all the ideas/plans are being built here.

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Fri Mar 27, 2015 5:17 pm

Re: self protection, at the present time, I would just do an automatic scan of the AV program folder upon startup. You could include this self-scan anytime a scan is required/requested. This will not detect injecting Trojans, but I think that is unlikely. The AV will not be on any malware radars for a while. It is more likely it would be killed via a registry change by malware.
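As an added example of the startup self-scan suggested above (not code from this thread or from any of the projects named), this builds a hash manifest of the AV's own program folder at install time and, at each startup, reports files that were modified, removed or added. The folder contents and file names are constructed; the manifest must live outside the folder (or be signed) so it cannot simply be regenerated alongside a tampered file, and as the post says, this does not see code injected into a running process or a registry change that stops the service.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(folder):
    """Hash every file under the program folder; keys are relative paths."""
    manifest = {}
    for root, _, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_folder(folder, manifest):
    """Compare the folder against a trusted manifest taken at install time.
    Returns sorted lists of modified, missing and unexpected files."""
    current = build_manifest(folder)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed scenario: install two files, snapshot, then tamper and rescan."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("scanner.exe", b"clean scanner"), ("main.cvd", b"signatures")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(d)   # would be stored outside the folder
        # Simulated tampering: one binary patched, one foreign DLL dropped in.
        with open(os.path.join(d, "scanner.exe"), "ab") as fh:
            fh.write(b"patched")
        with open(os.path.join(d, "dropped.dll"), "wb") as fh:
            fh.write(b"not ours")
        return verify_folder(d, manifest)
```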